ClassLoader manipulation vulnerability

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have fixed a vulnerability in our fork of Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Crowd web interface. In cases when anonymous access is enabled, a valid user account is not required to exploit this vulnerability.

We have discovered this vulnerability during our review of the recent Struts security advisories. This vulnerability is specific to Crowd.

The vulnerability affects all versions of Crowd earlier than and including 2.7. Crowd 2.5.7, 2.6.7 and 2.7.2 are not vulnerable. The issue is tracked in CWD-3904.

Risk Mitigation

If you are unable to upgrade your Crowd server you can do the following as a temporary workaround:

Block at a reverse proxy or a firewall all requests matching the following regular expression pattern in URI parameters. Note that the example does not account for any URL encoding that may be present.

.*[?&](.*\.||.*|\[('|"))(c|C)lass(\.|('|")]|\[).*
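The following Python snippet is an added illustration of applying that workaround pattern, not code from Atlassian or from the advisory. It uses the advisory's regular expression verbatim, but first percent-decodes the request URI (repeatedly, with a bound, to also catch double-encoded input) so that encoded forms such as %5B for "[" and %27 for "'" cannot slip past the pattern, which addresses the URL-encoding caveat above. The function names, the decoding loop and the sample URIs are this example's own constructions.

```python
import re
from urllib.parse import unquote

# Pattern exactly as published in the advisory's workaround.
ADVISORY_PATTERN = re.compile(r""".*[?&](.*\.||.*|\[('|"))(c|C)lass(\.|('|")]|\[).*""")


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode the URI until it stops changing, at most max_rounds times.

    The advisory only notes that its pattern ignores URL encoding; bounded
    repeated decoding is this example's choice for handling single- and
    double-encoded parameters before matching.
    """
    current = uri
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def should_block(uri: str, decode: bool = True) -> bool:
    """Return True when the request URI matches the advisory pattern.

    With decode=False the raw URI is matched, which shows how an encoded
    request evades the pattern when no decoding step is applied.
    """
    candidate = normalize_uri(uri) if decode else uri
    return ADVISORY_PATTERN.search(candidate) is not None


def filter_requests(uris):
    """Split a list of request URIs into (blocked, allowed) according to the pattern."""
    blocked = [u for u in uris if should_block(u)]
    allowed = [u for u in uris if not should_block(u)]
    return blocked, allowed


# Constructed sample request URIs (not taken from any real log).
SAMPLE_URIS = [
    "/crowd/console/login.action?class.classLoader.resources.x=1",
    "/crowd/console/login.action?username=admin&password=secret",
    "/crowd/console/login.action?foo%5B%27class%27%5D=1",
    "/crowd/console/login.action?category=classic",
]

if __name__ == "__main__":
    blocked, allowed = filter_requests(SAMPLE_URIS)
    for u in blocked:
        print("BLOCK ", u)
    for u in allowed:
        print("ALLOW ", u)
```

Note that this check only inspects the URI; parameters carried in a request body are outside what the published pattern covers, so a reverse-proxy rule built on it should be treated as the temporary workaround the advisory describes rather than a complete fix.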

Fix

This vulnerability can be fixed by upgrading Crowd. There are no patches available for this vulnerability.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Upgrading Crowd

Upgrade to Crowd 2.5.7, 2.6.7, 2.7.2, or a later version, which fixes this vulnerability. We recommend that you upgrade to the latest version of Crowd, if possible. For a full description of these releases, see the Crowd Release Notes. You can download these versions of Crowd from the download center.